Wireshark TCP troubleshooting: finding the cause of a slowness issue

A capture contains far too many packets to read one by one, so start with a high-level view. Go to Analyze–>Expert Info Composite (called Analyze–>Expert Information in newer Wireshark releases); it lists every error and warning Wireshark flagged, grouped by type and sorted. In the screenshot below the capture has roughly 2437 "Window is full" warnings and 122 "Zero window" warnings.

Both warnings are about TCP flow control. A "Zero window" is a segment in which the receiving host advertises a window size of 0, telling its peer that the receive buffer is full and no more data may be sent. "Window is full" is flagged on the sender's segment that fills whatever window the receiver last advertised. Either way the receiver is not taking data out of its socket buffer as fast as it arrives, which is a performance symptom, and since we are troubleshooting a performance problem this is the place to start. Click the plus sign next to the warning to expand the list of packets it was raised on, then pick any one of them; it does not matter which, in this case packet number 6328.

Clicking an entry in the Expert Info list jumps to that packet in the packet list.

Since this is a performance issue we need a reference for latency, and the most useful one is delta time. Go to View–>Time Display Format, select "Seconds Since Previous Displayed Packet", and set the precision to milliseconds.

The Time column now shows the time elapsed since the previous displayed packet; here packet 6322 arrives about 13 milliseconds after the one before it. Note that the delta is measured against the previous displayed packet, so the values change as soon as a display filter hides packets.

Next, narrow the view to the one TCP conversation we care about: right-click a packet in that flow and choose Conversation Filter–>TCP. Wireshark builds a display filter from the two IP addresses and ports of that connection (typing tcp.stream eq N with the connection's stream index gives the same result).

With the filter applied, look for anything that stands out; one packet is marked [TCP ZeroWindow]. Click on that packet. (If the conversation is long, the display filter tcp.analysis.zero_window shows only the packets carrying that warning, and tcp.analysis.window_full the other one.)

In the packet details the TCP window size field is 0: the source, 10.44.10.54, is advertising a zero window, which tells its peer to stop sending until it has room again.

So the bottleneck is not the network path but the receiving host: 10.44.10.54 cannot take data off its socket buffer as fast as it arrives, and the sender has to stall until the window opens again, which is what slows the application down. The next step is therefore on that host (the application reading the socket, its CPU or disk), not on the link. One caveat when reading these warnings: Wireshark only learns the window scale factor from the SYN handshake, so in a capture that started mid-connection the window sizes shown are unscaled and "Window is full" can be reported wrongly; a zero window, however, is unambiguous regardless of scaling.
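The same analysis done programmatically, as an added example that is not code from the original post or from Wireshark: a minimal Ethernet/IPv4/TCP parser plus the checks the steps above rely on (zero window, window full, window update, delta time) and a direction-independent conversation key. The frames in SAMPLE are constructed with struct.pack; the addresses, ports, sequence numbers and timestamps are made up, with 10.44.10.54 reused from the post only as the receiving host. Windows are taken unscaled, which is what Wireshark also has to do when the handshake was not captured.

```python
"""Zero-window / window-full detection over raw TCP frames (constructed sample)."""
import struct
from collections import Counter

ETH_LEN = 14
FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10


def build_frame(src, dst, seq, ack, flags, window, payload=b""):
    """Raw Ethernet/IPv4/TCP frame; src/dst are (ip, port). Checksums stay zero."""
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src[0].split(".")),
                     bytes(int(o) for o in dst[0].split(".")))
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, window, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def parse_frame(ts, raw):
    """Extract the TCP fields Wireshark shows in the packet details pane."""
    ihl = (raw[ETH_LEN] & 0x0F) * 4
    total = struct.unpack("!H", raw[ETH_LEN + 2:ETH_LEN + 4])[0]
    src = ".".join(str(b) for b in raw[ETH_LEN + 12:ETH_LEN + 16])
    dst = ".".join(str(b) for b in raw[ETH_LEN + 16:ETH_LEN + 20])
    t = raw[ETH_LEN + ihl:]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", t[:16])
    data_off = (off >> 4) * 4
    return dict(ts=ts, src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack,
                flags=flags, window=window, payload_len=total - ihl - data_off)


def conversation_key(p):
    """Same key for both directions, like Conversation Filter -> TCP."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def analyze(frames):
    """Per frame: delta time since the previous frame plus the expert notes."""
    window_of = {}   # endpoint -> receive window it last advertised (unscaled)
    last_ack = {}    # endpoint -> highest ack number it has sent
    results, prev_ts = [], None
    for no, (ts, raw) in enumerate(frames, start=1):
        p = parse_frame(ts, raw)
        me, peer = (p["src"], p["sport"]), (p["dst"], p["dport"])
        notes = []
        if p["flags"] & FLAG_ACK:
            last_ack[me] = p["ack"]
        # Window full: unacknowledged bytes sent to the peer reach its window.
        # Wireshark flags the segment that exactly fills the window; >= is used
        # here so the check also fires when the capture missed a segment.
        if p["payload_len"] > 0 and peer in window_of and peer in last_ack:
            in_flight = p["seq"] + p["payload_len"] - last_ack[peer]
            if in_flight >= window_of[peer]:
                notes.append("window full")
        prev_win = window_of.get(me)
        plain = not p["flags"] & (FLAG_SYN | FLAG_RST)
        if p["window"] == 0 and plain:
            notes.append("zero window")          # receiver: stop sending
        elif plain and p["payload_len"] == 0 and prev_win is not None and p["window"] > prev_win:
            notes.append("window update")        # receiver drained its buffer
        window_of[me] = p["window"]
        delta_ms = 0.0 if prev_ts is None else round((ts - prev_ts) * 1000, 3)
        prev_ts = ts
        results.append(dict(no=no, delta_ms=delta_ms, src=p["src"], dst=p["dst"],
                            conv=conversation_key(p), notes=notes))
    return results


def expert_summary(results):
    """Counts per warning type, like the Expert Info list."""
    return Counter(n for r in results for n in r["notes"])


def zero_window_hosts(results):
    """Hosts that advertised a zero window: the side not draining its buffer."""
    return {r["src"] for r in results if "zero window" in r["notes"]}


# Constructed sample: A receives a file from B with an 8192-byte receive window.
A, B = ("10.44.10.54", 53412), ("10.44.20.7", 445)
CHUNK = b"\x00" * 4096
SAMPLE = [  # (timestamp in seconds, raw frame)
    (0.000, build_frame(A, B, 1000, 0, FLAG_SYN, 8192)),
    (0.001, build_frame(B, A, 5000, 1001, FLAG_SYN | FLAG_ACK, 65535)),
    (0.002, build_frame(A, B, 1001, 5001, FLAG_ACK, 8192)),
    (0.003, build_frame(B, A, 5001, 1001, FLAG_ACK, 65535, CHUNK)),  # 4096 in flight
    (0.004, build_frame(B, A, 9097, 1001, FLAG_ACK, 65535, CHUNK)),  # fills A's window
    (0.017, build_frame(A, B, 1001, 13193, FLAG_ACK, 0)),            # 13 ms later: zero window
    (0.250, build_frame(A, B, 1001, 13193, FLAG_ACK, 8192)),         # window opens again
]

if __name__ == "__main__":
    res = analyze(SAMPLE)
    for r in res:
        print(f'{r["no"]:3} {r["delta_ms"]:9.3f} ms  {r["src"]} -> {r["dst"]}  {", ".join(r["notes"])}')
    print(dict(expert_summary(res)), zero_window_hosts(res))
```

Run it as a script to get the same three views the post walks through: a per-packet list with delta times, the warning counts, and the host that advertised the zero window. To apply it to a real capture, replace SAMPLE with (timestamp, frame) pairs read from a pcap; the parser expects plain Ethernet/IPv4 frames with no VLAN tag.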